by jlogsdon 4368 days ago
> unlike, say, CloudFlare

Care to elaborate?

4 comments

I have multiple horror stories from my days at Malwarebytes about CloudFlare. They absolutely refuse to take down people who abuse their network- at best they'll block a single file from being distributed, but then the malware authors simply change the name of the file (or, more commonly, dynamically name the file something completely random). Their network is fantastic for malicious activity, not only because of the technology but because of their policies around it.

They will do everything to keep bad sites up, even flat out lying. Here's Matt Prince, their CEO, claiming that Malwarebytes was blocking their CDN because of "political" reasons, even though we had emailed him actual PCAP files showing that their network was distributing malware-

https://forums.malwarebytes.org/index.php?/topic/108447-my-s...

Despite the fact that Malwarebytes actively engages with communities and groups that teach people how to manage malware removal, and has always stood for free speech and only removes harmful software, Matt Prince tried to deflect from the truth of the situation by claiming this was about censorship. Really all it was about was that multiple clients of theirs were hosting pages that were actively infecting thousands of computers.

To make matters worse they put these customers who are hosting active exploits and malware right next to their small business customers, so any time someone threatens to block them they hide behind the innocent victims who are caught in the crossfire.

I should point out that I no longer work at Malwarebytes, and this all took place several years ago. I am only speaking about the portions of this that were public, and you can find all of that in the Malwarebytes forums and other places online.

Where exactly does Matt accuse Malwarebytes of blocking their CDN because of "political" reasons? Your whole post looks like blatant lies.

As a security analyst, Cloudflare is a great friend and a terrible enemy. I've had numerous scenarios where I request information or takedowns of websites hosting blatantly malicious content, and not only do they refuse to cancel service, but they won't even give you the real IP address of the domain even if you have considerable evidence that abusive content is hosted there.

The most they'll do is give you the name of the hosting company, and even then getting that is like pulling a tooth. And of course, once you contact the hosting company, it can become like a chicken-and-egg problem: "you'll need to contact the DNS provider so I know what server this is being hosted on." A hosting provider that issues thousands of VPSs and has a big IP space may not be able to find the offending user just given a domain name.

On the plus side, I use Cloudflare on many of my sites for the free DDoS protection, IP anonymizing, and anti-bot features. So far it's been great.

In all 3 links this is the only relevant part I've been able to find regarding them being malicious:

> Heck, if the DDoS for hire services protect themselves against DDoS attacks by using CloudFlare then CloudFlare must be damn good!

So they protect their customers from DDoS attacks. All of them. I see nothing bad in this. Saying they shouldn't is like saying a government should put all criminals together in a village and then have them perform criminal activity on each other.

The link to Krebs' is basically the same: people protecting themselves. Should CloudFlare play for judge and ban people that do not violate their terms? Because I'm sure they boot people that perform illegal activities on their network or otherwise harm their network from within, but I can see why they don't proactively take down any website mentioning "we offer DDoS attacks". Like I said before, that person A kills another person doesn't mean that another person may kill person A, at least not within our current laws. Even if it did, is CloudFlare the one who should be calling the shots?

Finally, your first link is someone complaining to CloudFlare about LOIC (or related Perl scripts launched from VPSes) and CloudFlare responds that they see no harmful traffic and that logs or other details should be attached. Merely saying "hey I'm having trouble" has never gotten anyone further in resolving issues. That's why we have logs so that CloudFlare can check their own logs to see what happened. Perfectly reasonable.

So yeah elaboration is necessary. I do not see why CloudFlare is harmful.

The point being made above is that Cloudflare charges users to protect them from attacks, but they're also providing protection (from attacks and identification) to the people performing the attacks. To many, it appears that they're helping to allow malicious activity because it benefits the sale of their services.

This sounds like the same argument would apply to selling bulletproof jackets to people who also own guns.

> Should CloudFlare play for judge and ban people that do not violate their terms? Because I'm sure they boot people that perform illegal activities on their network or otherwise harm their network from within, but I can see why they don't proactively take down any website mentioning "we offer DDoS attacks".

DDoS attacks are illegal in most countries, including the US where CloudFlare operates. It would be reasonable for them to include something in their terms about not allowing illegal activities. Then, if it's brought to their attention via a verifiable abuse complaint, yes, they should cease providing service to that user. They are a private company and do not have the obligation to provide service to any particular person; there is no "rights" issue here.

Proactively, as in proactively monitoring and reviewing each site they provide service to, would no doubt be a huge burden and difficult or impossible, but I don't think anyone has suggested that. The only thing they need to be doing is the same as any responsible ISP: have an abuse@ mailbox (which they do), review and take the appropriate action on complaints.

As far as I understand it the problem is as follows:

1. Bad guys get a site behind Cloudflare, and host illegal content.

2. You want to report said bad guys to their host, for whatever reason.

3. You discover they use Cloudflare. You now do not know where they are hosted.

4. Cloudflare will not tell you their actual IP addresses.

If it's illegal and you're harmed I'm sure you can sue the people who did it and CloudFlare will have to hand over IP addresses. But is it CloudFlare's duty to police the Internet? Like ISPs, I think they should be content neutral unless illegal content like child porn is being hosted. Merely talking about services is not illegal as far as I know; only performing the DDoS attacks is.

1. Websites hosting services that have no other purpose but to DDoS other computers are absolutely illegal. Many such sites have been taken down by the FBI before, and both users and owners of the sites have been arrested. The problem is that there are many hundreds of such sites and tens of thousands of users, and law enforcement simply can't take down each and every one. Cloudflare is relying on the fact that most people won't be able to get a subpoena or file a lawsuit.

2. You could apply that same argument to any hosting provider. They're just letting people see content that you yourself have uploaded; why should they act as Internet police? And yet every hosting provider has a legal responsibility to take action if someone is using their services to spread malware, launch DDoS attacks, or hack other websites.

Cloudflare is able to weasel itself out of it because it is not actually a hosting provider. However, they won't even let you discover the real hosting provider after showing proof of extremely blatant criminal activity. This is why many criminals flock to them: they know they will be harbored and their botnet command & control / DDoS service / malware distribution network can stay up for longer than it would normally.

I work in the information security field and we're definitely seeing more and more malicious network operators moving to Cloudflare and staying there for a long time.

Is requiring legal due process such a bad thing?

I agree they should not be policing. Instead they should allow you to contact the people who are hosting the actual content. Which is where DMCA notices have to go to, for example. Since they do not host the content, they claim the DMCA should not be sent to them, but they won't tell you who to contact instead.

So what? It's not their job to help copyright holders, their job is to protect their clients' privacy. Even the cops have to get a court order to find someone's private data from a business, but since it's copyright every man and his dog claiming to be the copyright holder should be handed private information willy nilly?

So, would you consider a site where you can click a button and have a DDOS attack launched for you to be illegal? Because that's exactly what's being referred to here, "DDOS-as-a-service".

Have fun filing lawsuits and sending out subpoenas when you're just trying to host a game server as a hobby and not making money off it. Cross-jurisdictional issues will also make this very difficult, even if you know who the attacker is.

Fair trials are hard, let's go shopping!

Thanks, what I searched for didn't really bring anything up.

Sure. I made a post a few weeks ago at https://news.ycombinator.com/item?id=7880514. There are other relevant posts in the same thread as well, but that's probably the best overview.